Describe and critically analyse the approach you will take from a technical perspective to develop an understanding of what has happened
You need to act swiftly to preserve as much evidence as you need to uncover what is going on. TDS is not expecting any downtime at the moment. What will you request access to, and how will you use the data or information provided? Consider multiple possibilities without coming to early conclusions. Establish a process and express it, possibly with the help of a diagram, flow chart, or similar. Identify any tools you may use, including built-in tools. Remark upon the impact on the business of the approach(es) you decide to take.
CDFnS Makes Progress

Following Task 1, you find out that:
- Some logs have been deleted on the Server (the security logs that are normally viewable in Event Viewer).
- Thousands of logon attempts were made from the Windows 7 client to the Windows Server before access to the admin account was successfully gained. These attempts were made from the client machine on the same evening that it was also downloading files from the file server under the user's account, with access to a limited number of files.
- Some logs have been deleted on the Windows 7 client.
- Once the attacker had gained access to the Server admin account, he could access any files on the file server, and more confidential files were accessed.
- Neither the Windows 7 client nor the Windows Server 2019 has been rebooted since the event.

You propose to take a memory dump and a copy of the hard disks for each machine. TDS would like to get to the bottom of this, and accepts, even if they have to take the server offline overnight (for not more than 12 hours).
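The findings above (a long run of failed logons from the client, then a successful admin logon, then cleared Security logs) are exactly the pattern a first-pass triage of exported event logs should surface. The script below is an added example, not part of the brief or of any TDS material: it runs over a constructed CSV export resembling what Event Viewer or Get-WinEvent would produce, and flags failed-logon bursts (event 4625), a success (4624) from the same source for the same account shortly after a burst, and audit-log clearing (1102). The thresholds, timestamps, account and host names are all assumptions chosen for illustration.

```python
"""Triage of an exported Windows Security log for the TDS scenario.

Added example; every event line is constructed, not TDS data.
Windows Security event IDs used:
  4625  An account failed to log on
  4624  An account was successfully logged on
  1102  The audit log was cleared (written as the first record of the emptied log)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resembling a CSV export (e.g. from Get-WinEvent or Event Viewer):
# timestamp,event_id,target_account,source_workstation
SAMPLE_EVENTS = """\
2024-03-11T09:00:01,4624,jsmith,WIN7-CLIENT
2024-03-11T09:15:00,4625,jsmith,WIN7-CLIENT
2024-03-11T21:02:13,4625,Administrator,WIN7-CLIENT
2024-03-11T21:02:14,4625,Administrator,WIN7-CLIENT
2024-03-11T21:02:15,4625,Administrator,WIN7-CLIENT
2024-03-11T21:02:16,4625,Administrator,WIN7-CLIENT
2024-03-11T21:02:17,4625,Administrator,WIN7-CLIENT
2024-03-11T21:02:18,4625,Administrator,WIN7-CLIENT
2024-03-11T21:02:19,4624,Administrator,WIN7-CLIENT
2024-03-11T22:10:02,1102,Administrator,-
"""


def parse_events(text):
    """Parse CSV lines into dicts sorted by time; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, target, source = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "target": target, "source": source})
    return sorted(events, key=lambda e: e["time"])


def find_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window over 4625 events per (source, target): report the densest
    window holding at least `threshold` failures. Both parameters are tunable assumptions."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[(e["source"], e["target"])].append(e["time"])
    bursts = []
    for (source, target), times in failures.items():
        best, j = None, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:   # shrink window from the left
                j += 1
            count = i - j + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"source": source, "target": target, "count": count,
                        "start": times[j], "end": times[i]}
        if best:
            bursts.append(best)
    return bursts


def find_success_after_burst(events, bursts, grace=timedelta(minutes=30)):
    """A 4624 for the same (source, target) within `grace` after a burst ends:
    the signature of a guessed password finally working."""
    hits = []
    for b in bursts:
        for e in events:
            if (e["id"] == 4624 and e["source"] == b["source"]
                    and e["target"] == b["target"]
                    and b["end"] <= e["time"] <= b["end"] + grace):
                hits.append({"source": e["source"], "target": e["target"],
                             "time": e["time"], "after_failures": b["count"]})
    return hits


def find_log_clears(events):
    """Times at which the Security log was cleared (event 1102)."""
    return [e["time"] for e in events if e["id"] == 1102]


def triage(text):
    """Run all three checks over an exported log and return the findings."""
    events = parse_events(text)
    bursts = find_logon_bursts(events)
    return {"bursts": bursts,
            "successes_after_burst": find_success_after_burst(events, bursts),
            "log_cleared": find_log_clears(events)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

Two points matter for the TDS case. First, clearing the Security log does not remove the evidence that it was cleared: Windows writes event 1102 as the first record of the emptied log, so the clearing time itself is a data point, and the same logon pattern can be corroborated from the client's logs, from the file server's share access records, and later from log fragments carved out of the disk image. Second, the single failed logon for jsmith in the sample stays below the threshold, which is why a window and count are used rather than flagging every 4625.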
Task 2: (40%) Explain the benefit of taking memory and disk copies of both machines.
For each, what can you expect to determine?
For either the Windows 7 client or the Windows Server 2019:
- Describe briefly the process of taking a memory copy and a disk copy, minimising impact.
- For both memory and disk images, describe and critically analyse the approach you would take from a technical perspective to develop a further understanding of what has happened.
- Identify any tools you may use, and how you would use them.
- Consider the precautions taken and the reasons for them.
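One precaution the task asks you to justify is hashing every image at acquisition and re-verifying each working copy before analysis. The script below is an added example, not part of the brief and not the output of any imaging tool; it models the record that tools such as FTK Imager, dd/dc3dd, or WinPmem (for memory) produce alongside an image, then shows that a single altered byte in a working copy is caught. The image contents, file names, examiner name and source description are constructed placeholders.

```python
"""Integrity verification for forensic images taken in the TDS scenario.

Added example, not part of the brief. It models the precaution imaging tools
rely on: hash the image at acquisition, record the hash in a sidecar file that
travels with the image (chain of custody), and re-verify every working copy.
All image bytes and metadata are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB chunks so a multi-GB image never sits in RAM


def hash_file(path):
    """Return {'md5': ..., 'sha256': ...} computed in one pass over the file.
    Two algorithms are recorded because most acquisition tools report both."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def write_acquisition_record(image_path, examiner, source_desc):
    """Create the sidecar record (image name, size, source, examiner, time, hashes)."""
    record = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "source": source_desc,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(image_path),
    }
    record_path = image_path + ".json"
    with open(record_path, "w") as f:
        json.dump(record, f, indent=2)
    return record_path


def verify_image(image_path, record_path):
    """Recompute size and hashes and compare with the record. Any mismatch means
    the copy must not be used for analysis; the original is re-imaged or re-copied."""
    with open(record_path) as f:
        record = json.load(f)
    problems = []
    if os.path.getsize(image_path) != record["size_bytes"]:
        problems.append("size mismatch")
    current = hash_file(image_path)
    for algo, expected in record["hashes"].items():
        if current[algo] != expected:
            problems.append(f"{algo} mismatch")
    return {"ok": not problems, "problems": problems, "current": current}


def demo():
    """Image a constructed 'disk', verify the pristine copy, then show that a
    single flipped byte in a working copy is detected."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "SERVER2019-disk0.dd")  # placeholder name
    with open(image, "wb") as f:  # constructed bytes standing in for raw sectors
        f.write(b"\x00" * 4096 + b"NTFS    " + os.urandom(2 * CHUNK + 13))
    record = write_acquisition_record(image, "examiner-1 (placeholder)",
                                      "Windows Server 2019, disk 0 (placeholder)")
    pristine = verify_image(image, record)

    working = image + ".working"
    with open(image, "rb") as src, open(working, "wb") as dst:
        data = bytearray(src.read())
        data[5000] ^= 0x01  # corrupt exactly one byte of the working copy
        dst.write(data)
    return pristine, verify_image(working, record)


if __name__ == "__main__":
    ok, bad = demo()
    print("pristine copy ok:", ok["ok"])
    print("working copy ok:", bad["ok"], bad["problems"])
```

The size check is kept separate from the hash check because it distinguishes a truncated copy (a transfer that stopped early) from a same-length copy whose contents changed; both invalidate the copy, but they point to different causes. For memory images the same record matters even more, since the dump cannot be repeated: the machine's volatile state at the time of acquisition is gone once it is rebooted or imaged again.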